You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Fake Windows "System Restore" virus

Hello all,
I am needing help fixing a computer virus that has taken over my computer. A little background info... it has Windows XP operating system and has had no sign of issues before this. So when surfing the internet today, Internet Explorer randomly shut down, provided an error and the fake Window "System Restore" interface displayed. Among its display, it started to run a "test" saying that I had hard disk drive, RAM, CPU, and Registry Errors upon this check. I figured it was a suspicous interface because I haven't ever seen it before. All links on the start menu disappeared, lost some desktop icons, and couldn't do much outside of the "system restore" interface. Then my computer restarted suddenly and came to a startup screen to display "Start Window Normally", "Last know good configuation", and the multiple "Safemode" options. I tryied all the options and they would begin to load windows for just about a second, then flash a blue screen, then restart. Then do it all over again. So I can't even get pass the windows loading screen. I have no clue what to do. Really frustrated. The thing that makes me the most pissed off is I can't even get pass windows to get to my desktop to try to remove this. Please, if anyone as any removal experience with this virus/malware/spyware... whatever it is, I would appriciate your help.
Thanks, chadwilliams89

Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.

Remove the USB & CD and insert them in the sick computer

Boot the Sick computer with the CD you just burned

The computer must be set to boot from the CD

In some computers you need to tap F12 and choose to boot from the CD, in others is the Esc key. Please consult your computer's documentation.

Follow the prompts

A Welcome to xPUD screen will appear

Press File

Expand mnt

sda1,2...usually corresponds to your HDD

sdb1 is likely your USB

Click on the folder that represents your USB drive (sdb1 ?)

Confirm that you see driver.sh that you downloaded there

Press Tool at the top

Choose Open Terminal

Type bash driver.sh

Press Enter

After it has finished a report will be located on your USB drive named report.txt

Then type bash driver.sh -af

Press Enter

You will be prompted to input a filename.

Type the following:

Winlogon.exe

Press Enter

If successful, the script will search for this file.

After it has completed the search enter the next file to be searched

Type the following:

volsnap.sys

Press Enter

If successful, the script will search for this file.

After it has completed the search enter the next file to be searched

Type the following:

explorer.exe

Press Enter

After it has completed the search enter the next file to be searched

Type the following:

Userinit.exe

Press Enter

After the search is completed type Exit and press Enter.

After it has finished a report will be located in the USB drive as filefind.txt

While still in the Open Terminal, type bash query.sh

Press Enter

After it has finished a report will be located in the USB drive as RegReport.txt

Then type dd if=/dev/sda of=mbr.bin bs=512 count=1

Leave a space among the following Statements:

dd is the executable application used to create the backupif=/dev/sda is the device the backup is created from - the hard drive when only one HDD existsof=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminalbs=512 is the number of bytes in the backupcount=1 says to backup just 1 sector

It is extremely important that the if and of statements are correctly entered.

Press Enter

After it has finished a report will be located in the USB drive as mbr.bin

Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!